Frontend: Harden NPM usage and add version overrides to package.json

Signed-off-by: Michael Mayer <michael@photoprism.app>

Dockerfile

@@ -1,6 +1,9 @@
 # Ubuntu 25.04 (Plucky Puffin)
 FROM photoprism/develop:250907-plucky
 
+# Harden npm usage by default (applies to npm ci / install in dev container)
+ENV NPM_CONFIG_IGNORE_SCRIPTS=true
+
 ## Alternative Environments:
 # FROM photoprism/develop:armv7    # ARMv7 (32bit)
 # FROM photoprism/develop:plucky   # Ubuntu 25.04 (Plucky Puffin)
@@ -21,4 +24,4 @@ WORKDIR "/go/src/github.com/photoprism/photoprism"
 COPY . .
 COPY --chown=root:root /scripts/dist/ /scripts/
 
-RUN sudo /scripts/install-yt-dlp.sh
+RUN sudo /scripts/install-yt-dlp.sh

Makefile

@@ -4,6 +4,7 @@
 # more about our team, products and services: https://www.photoprism.app/
 
 export GO111MODULE=on
+export NPM_CONFIG_IGNORE_SCRIPTS ?= true
 
 -include .semver
 -include .env
@@ -247,7 +248,7 @@ dep-list:
 dep-npm:
 	sudo npm install -g npm
 dep-js:
-	(cd frontend && npm ci --no-update-notifier --no-audit)
+	(cd frontend && npm ci --ignore-scripts --no-update-notifier --no-audit)
 	# TODO: If in the future we want to test in a real browser environment, add this (Playwright)
 	# (cd frontend && npx playwright install chromium)
 dep-codex:

frontend/package.json

@@ -135,5 +135,9 @@
     "node": ">= 18.0.0",
     "npm": ">= 9.0.0",
     "yarn": "please use npm"
+  },
+  "overrides": {
+    "color-convert": "2.0.1",
+    "color-name": "1.1.4"
   }
 }